aml update – strengthening controls · • in the amlo, correspondent banking is designed as the...
TRANSCRIPT
AML Update – Strengthening Controls Seminars for Heads of Compliance and Money Laundering Reporting Officers 5 & 6 June 2014
Stewart McGlynn & Joyce Chan Anti-Money Laundering and Financial Crime Risk Division Banking Supervision Department Hong Kong Monetary Authority
Disclaimer
This presentation provides guidance to authorized institutions (“AIs”) on issues relating to the Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance (“AMLO”) and the AMLO Guideline. The presentation is provided for training purposes and does not form part of the formal legal and regulatory requirements of the HKMA. It should not be substituted for seeking detailed advice on any specific case from an AI’s own professional adviser.
The HKMA is the owner of the copyright and any other rights in the PowerPoint materials of this presentation. These materials may be used for personal viewing purposes or for use within an AI. Such materials may not be reproduced for or distributed to third parties, or used for commercial purposes, without the HKMA’s prior written consent.
3
Program Outline
Q&A
Implementation Issues
Observations from recent examinations
Future areas of focus
4 4
Correspondent Banking
4
AMLO Guideline
Paragraph 11.1 • In the AMLO, correspondent banking is designed as the provision of banking services
(such as credit, deposit, collection, clearing, payment or other similar services) by an AI (the correspondent) to another institution (the respondent) to enable the latter to provide services and products to its own customers. Correspondent banking activity can include establishing accounts, exchanging methods of authentication of instructions, etc.
Consistency issues have arisen over ‘the issue of authentication of information’
Constructive industry dialogue has taken place through HKAB AML Committee
5
What due diligence is required for SWIFT Relationship Management Application (RMA)?
AIs may adopt the principles set out in Paper - Wolfsberg AML Principles for Correspondent [2014]
Mere exchange of keys may not amount to a Correspondent Banking Relationship Where an exchange of non-payment related information is intended, relevant CDD may
be unnecessary Where payment related information is exchanged of intended to be exchanged then AIs
need to carry out CDD as required under AMLO It will be for the AI to demonstrate that a correspondent relationship does not exist and
that the AI is fully compliant with AMLO The HKMA will continue to closely scrutinise due diligence and risk management
practices over Correspondent Banking
Correspondent Banking
6 6
Verification of the Existence and Legal Form of a Trust
AMLO Guideline [Risk based - all examples can
meet the requirement] • To obtain appropriate evidence to
verify the existence, legal form and parties to a trust
• Examples: (i) sight of the instrument; (ii) ref. to an appropriate register; (iii) confirmation from the trustee
acting in a professional capacity; (iv) confirmation from a lawyer; and (v) for trusts that are managed by the
trust companies which are subsidiaries (or affiliate companies) of an AI, that AI may rely on a written confirmation from its trusts subsidiaries etc.
Pre AMLO Requirement
• To obtain satisfactory evidence of the existence, legal form and parties
• Example: – obtaining a copy of the trust deed
7
Understanding ML/TF Risk
AIs must understand the nature and level of ML/TF risks – Assessment should include all areas, including products, services,
targeted customers, entities or geographic locations – Detailed analysis of the data should be performed to identify and
assess the risk within these categories – Process for periodically reviewing and updating the risk assessment
must be adequate and may be assessed
Objective is to demonstrate that internal controls and AML/CFT programmes been developed to adequately mitigate those ML/TF risks – Board should consider whether the AML/CFT programme ultimately
leads to a reduction in ML/TF activity that has been identified
8 8
Understanding ML/TF Risk - Existing obligation
8
AMLO Guideline
2.1 AI must take all reasonable measures
2.2 Take into account risk factors
2.3 Product / Service risk
2.4 Delivery / Distribution channel risk
2.5-7 Customer risk
2.8 Country risk
3.3 An effective RBA does involve identifying and categorizing ML/TF risks at the customer level and establishing reasonable measures based on the risk identified
9
Regulatory Expectation
Objective is to assess the AI’s ML/TF risk profile and evaluate the adequacy of the its ML/TF risk assessment process
HKMA will obtain and review the AI’s ML/TF risk assessment as part of the examination scoping exercise: – Has AI included all risk areas, including any new products, services, or
targeted customers, entities, and geographic locations? – Is the process for periodically reviewing and updating the ML/TF risk
assessment adequate? – Is the risk assessment in written form? – Has the risk assessment been shared and communicated with all
business lines across the bank, board of directors, management, and appropriate staff? Do those staff understand the risk assessment?
ML/TF risk profile will be discussed with the AI
10 10
Purpose & intended nature of the business relationship
Means developing a more comprehensive picture of the customer and includes, for example, measures to establish customer’s occupation and source of funds
Key information for solid basis for ongoing monitoring – Guidance paper [December 2013] footnote 7 on Page 8 – Legal obligation under AMLO, section 2(1)(c) of Schedule 2
Meaningful steps must be taken, generic information insufficient
11
Source of Wealth
Fundamental control in Private Banking and Wealth Management
Observations: – Risk-based due diligence needs to be adequate, guidance to front line
staff needs to be clear – Adequate documentation should be maintained – Should not accept overly simplistic explanations at face value without
challenge – Strong oversight essential
Senior management must ensure there must be a culture in which RMs take responsibility for making ethical decisions based on knowledge of the customer
12
Regulatory Expectation
Information obtained must be meaningful – Risk-sensitive measures should be applied to verify information – Must be evidence of challenge and escalation where appropriate
especially where there are elevated risks associated with the relationship
Where relevant information about a higher risk customer’s source of wealth was obtained, verify this and do not put reliance solely on the word of customers – Should not be routine
13
Internal Audit
Effectiveness of Internal Audit Reviews – IA should play a strong role and identify control failures – Specialist resources may be used where appropriate
Frequency & scope of reviews must address Bank’s risks – Correlation with risk assessment will be examined
Observations of recent IA and compliance reviews on AML controls often do not drive change – Quality issues or information not discussed at sufficiently senior level
14 14
Transaction Monitoring
14
Guidance Paper
3.6 AIs should take into account the size, nature and complexity of its business in an appropriate assessment, prior to the launch of the transaction monitoring system. To ensure adequate coverage of its business operations, the assessment should take into consideration the question of whether to implement, and if so the appropriate degree of, automation that is required for the transaction monitoring system. This assessment should be in writing as a record of the rationale for adopting the system, including how it meets the AI’s needs and other material factors such as the appropriateness of the system vendor, the effectiveness of the interface between the new system and the AI’s existing infrastructure, how updates will be undertaken and any resource implications.
15 15
Transaction Monitoring
15
Guidance Paper
3.11 AIs should ensure, through the establishment of policies and procedures, the requirement to periodically review the transaction monitoring system. This should include an assessment of the transaction characteristics it monitors, risk factors, parameters and thresholds used to ensure they remain optimal for the AI and address ML/TF risk, taking into account changes in business operations and developments in ML/TF methods.
16
Transaction Monitoring
Are the AIs transaction monitoring systems adequate, given their business activities and size?
Depending on nature and scale of the AI, automated systems may be important for effective AML controls – Role of senior management emphasised in recent guidance paper
Understanding risks – the starting point – Sufficiently detailed system review is required
Should have a clear understanding of what the system could deliver / limitations – TM can only supplement, not replace human element
17
Section 5(1)(a) of Schedule 2 to the AMLO
“A financial institution must continuously monitor its business relationship with a customer by reviewing from time to time documents, data and information relating to the customer that have been obtained by the financial institution for the purpose of complying with the requirements imposed under this Part to ensure that they are up-to-date and relevant”
Ongoing Due Diligence
18
“From Time to Time” / “Periodic”
Paragraph 4.7.12 - FIs should take steps from time to time to ensure that the customer information that has been obtained for the purposes of complying with the requirements of sections 2 and 3 of Schedule 2 are up-to-date and relevant. To achieve this, an FI should undertake periodic reviews of existing records of customers.
Ongoing Due Diligence
19 19
Verifying Corporate Identity
19
Paragraph 4.9.11 4.9.11 The FI should verify the information in paragraph 4.9.10 from:
for a locally incorporated company:
(a) a search of file at the Hong Kong Company Registry and obtain a company report;
for a company incorporated overseas:
(b) a similar company search enquiry of the registry in the place of incorporation and obtain a company report;
(c) a certificate of incumbency or equivalent issued by the company’s registered agent in the place of incorporation; or
(d) a similar or comparable document to a company search report or a certificate of incumbency certified by a professional third party in the relevant jurisdiction verifying that the information at paragraph 4.9.10, contained in the said document, is correct and accurate.
20
STRs made to JFIU in the past 10 years
13,570 12,449 13,041 12,789 12,388 12,602 16,551 17,194 19,202
27,328
- 5,000
10,000 15,000 20,000 25,000 30,000 35,000
2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
• Represents number of STR made by Banks (As of 31 May 2014, 12,931 STRs had been filed by banks)
21
S12(3), 12(4) and 12(5) of Schedule 2 to the AMLO
Before carrying out a wire transfer, a financial institution that is an ordering institution must record (i) the originator's name; (ii) the originator’s account number and (iii) the originator’s address.
Ordering Institution must include the verified originator’s information in the wire transfer message.
Wire Transfers
22
Observations during examinations:
– Automatic extraction process needs oversight
Adequate IA or Compliance review is important
– Sampling important
Straight forward AMLO provision
Wire Transfers
23 23
Governance
Ownership by all stakeholders, including commitment of the Board and senior management of Banks, to strong AML culture and controls – Training may have to be very specific at board level, tailored for executive
management Can the board and senior management see what the real risks are?
– Is there audit evidence of how senior management make decisions on ML/TF risks?
– Are they the correct decisions? – Responsibility AIs to decide
24
25
Key Points
Risk Assessments – National Risk Assessment [‘NRA’] will commence soon – Understanding ML/TF risks central to strong AML/CFT systems for AIs
Understand purpose and intended nature of relationship – Retail – will help to reduce exposure to criminal activity – PBs – source of wealth and funds remains a core CDD component
Perform Gap Analysis on Guidance paper on Transaction Monitoring – Review system requirements and level of automation that may be
required, now and in the future Periodic reviews are important to ensure CDD is up to date and
relevant Quality of STR reporting
– Self assess - be proactive and have a plan to improve quality Understand and mitigate ML/TF risks in Trade Finance
– Future supervisory focus
Questions